
APEX ReadOnly Pages - The easy way

If your Oracle APEX Application requires different types of access - full access or readonly - for different types of users, you can specify a Read Only Condition on Page level (or Region, Item, Button, etc.).

You can set an Authorization Scheme at Application level, so it is applied to all pages. So if you have an Authorization Scheme named 'User Can Access Page' defined by a PL/SQL function like this:

return apex_authorization.user_can_access_page
       ( p_app_id  => :APP_ID
       , p_page_id => :APP_PAGE_ID
       , p_user    => :APP_USER
       );

then you can code all the logic in the database using the APEX Repository, your own tables or a combination to define whether a user has access to that page or not.

But alas, it is not possible to define something similar application-wide for a Read Only Condition. You can specify an Authorization Scheme 'User has Read Only Access' using a similar signature as the one above and use that on each and every page in the Read Only Condition using the APEX API:

That way you still hide the PL/SQL logic. But you have to apply that to every page ... and that's not very developer friendly. Another downside is that the page is really rendered as readonly: it looks very different from the same page in regular updatable mode, so your layout may get screwed up. The advantage is that it is (almost) impossible to hack a page rendered like that to make an illegal update to your database.

So can we achieve a similar / better result with less effort?

Yes, we can. Let's define a Dynamic Action (DA) on Page 0 (the Global Page, so it is rendered on every page) that will only run when our previously defined "ReadOnly" Authorization Scheme is met. That DA will run a snippet of JavaScript "On Page Load":

This removes a number of "update" buttons and sets all items to readonly and disabled. Be aware that the selectors - especially for the buttons - may be different in your own environment, depending on template settings etc.

But although the initial result looks good, as the layout isn't changed and all the items are not updatable, it isn't very secure. The buttons are removed - which is already a tad safer than just disabling them - but I can re-enable all the Page Items with just one line of JavaScript. And also a page submit doesn't require a lot of JavaScript knowledge. So if I can open up my browser console, it is easy to conquer this carefully crafted Read Only Page...

And of course we can add a Condition or Authorization Scheme to every page process to make sure they only run for users with full access, but that would require a lot of work again!

So we have to close down the backend as well. And preferably not by adding triggers on every table... But we can interfere with the PL/SQL that's executed when the page is submitted: there is a section called "Initialization PL/SQL Code" under Security Settings. Although that sounds like it runs only when you "initialise" a page ... it also runs when a page submit is initialised!

So if we enter something like this piece of PL/SQL in that section:

if apex_authorization.user_has_read_only_access
   ( p_app_id  => :APP_ID
   , p_page_id => :APP_PAGE_ID
   , p_user    => :APP_USER
   )
   and :REQUEST in ('SAVE', 'DELETE', <and a lot more>)
then
  raise_application_error( -20000, 'You are trying to make some changes with Read Only privileges' );
end if;

a user with Read Only access who tries to fire an illegal SAVE or DELETE request will be blocked (although that message isn't shown). If you look in the (standard) DML Processes you can see there are quite a lot of requests that should be in that list. Be aware that other requests - and especially processes that run unconditionally, whatever the request - are not protected by this!
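Both building blocks in one place, as an added example that is not the blog's own code: the two authorization functions backed by a constructed access table, plus the submit-time check to call from the Initialization PL/SQL Code section. The table app_page_access, the package app_authz (named so as not to clash with Oracle's own APEX_AUTHORIZATION package) and the allowlist of safe requests are assumptions; the check inverts the post's request list, so a read-only user's submit is rejected unless its request is explicitly known to be harmless.

```sql
-- Constructed access table: one row per user and page, no row = no access.
create table app_page_access (
  app_id       number        not null,
  page_id      number        not null,
  username     varchar2(255) not null,
  access_level varchar2(8)   not null
    constraint app_page_access_ck check (access_level in ('FULL', 'READONLY')),
  constraint app_page_access_pk primary key (app_id, page_id, username)
);

create or replace package app_authz as
  function user_can_access_page(p_app_id number, p_page_id number, p_user varchar2) return boolean;
  function user_has_read_only_access(p_app_id number, p_page_id number, p_user varchar2) return boolean;
  -- Initialization PL/SQL Code (Security Settings) calls:
  --   app_authz.block_updates_for_read_only(:APP_ID, :APP_PAGE_ID, :APP_USER, :REQUEST);
  procedure block_updates_for_read_only(p_app_id number, p_page_id number, p_user varchar2, p_request varchar2);
end app_authz;
/

create or replace package body app_authz as
  -- 'FULL', 'READONLY' or 'NONE' when the user has no row for this page
  function page_access(p_app_id number, p_page_id number, p_user varchar2) return varchar2 is
    l_level app_page_access.access_level%type;
  begin
    select access_level into l_level from app_page_access
     where app_id = p_app_id and page_id = p_page_id and username = p_user;
    return l_level;
  exception when no_data_found then return 'NONE';
  end page_access;

  function user_can_access_page(p_app_id number, p_page_id number, p_user varchar2) return boolean is
  begin return page_access(p_app_id, p_page_id, p_user) <> 'NONE'; end user_can_access_page;

  function user_has_read_only_access(p_app_id number, p_page_id number, p_user varchar2) return boolean is
  begin return page_access(p_app_id, p_page_id, p_user) = 'READONLY'; end user_has_read_only_access;

  procedure block_updates_for_read_only(p_app_id number, p_page_id number, p_user varchar2, p_request varchar2) is
    -- Allowlist of requests that only navigate or search (assumed list; adjust it to
    -- your own buttons). Every other non-empty request is treated as an update attempt.
    c_safe_requests constant apex_t_varchar2 := apex_t_varchar2('CANCEL', 'SEARCH', 'RESET');
  begin
    if p_request is not null
       and p_request not member of c_safe_requests
       and user_has_read_only_access(p_app_id, p_page_id, p_user)
    then
      raise_application_error(-20000, 'Request ' || p_request || ' is not allowed with Read Only access');
    end if;
  end block_updates_for_read_only;
end app_authz;
/
```

Because the allowlist also applies to requests passed in the URL on page show, a read-only user cannot reach a DML request through a crafted link either; the price is that every harmless button request the application uses has to be listed.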

But with just one snippet of JavaScript and one piece of PL/SQL we implemented a Read Only feature on each and every page of our application - and the pages still look exactly the same!
